Another Google redirect virus/rootkit, initial steps completed

By riverland1
Apr 29, 2010
Topic Status:
Not open for further replies.
  1. Seems others have been posting for help with this too. My problem may have come a rogue Antivirus XP 2010 infection. I am no longer getting any fake alerts. My search results in Google on both Firefox 3.6 and IE 8.0 seemed to be hijacked intermittently, The NoScript add-on for Firefox seems to intercept the attempted redirects and prevents the unwanted pages from loading but otherwise does not prevent the problem.

    I have noticed two other symptoms. Pages from microsoft.com on updating Windows software seemed to be blocked in both Firefox and IE. Attempts to download combofix.exe generate the following error message:

    C:\Documents and Settings\...\Desktop\ComboFix.exe could not be saved, because an unknown error occurred. Try saving to a different location.


    I can download this on another computer and move it over if needed.

    Steps:
    1. Have Comcast's McAfee Security Center. No infections found on full system scan.
    2. TFC run
    3. a. Can't access microsoft updates, but already have SP3
    b. Java updated to 6.02, old versions removed
    c. Adobe Reader updated to 9.3, old versions removed
    4. MBAM log attached
    5. Gmer log attached
    6. DDS logs attached

    Also nothing found with Spybot S&D. TDSS Killer finds a problem every time it runs and says it will cure it on reboot, but does not.

    Thanks!

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Sometimes, running too many random programs can make matters worse. Let's try this first:


    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      ntcdrdrv;
      vsdatan
      pciinfo
      
      :Reg
      
      :Files  
      c:\windows\system32\drivers\hitmanpro35.sys
      c:\docume~1\alluse~1\applic~1\Hitman Pro
      c:\windows\system32\drivers\ntcdrdrv.syc
      c:\windows\system32\vsdatant.sys
      c:\docume~1\randyl~1.hp-\locals~1\temp\hpispz\hpdom\pciinfo.sys 
      
      :Folders
      c:\program files\Hitman Pro 3.5
      c:\windows\system32\Registry Patrol
      c:\program files\Registry Patrol
      
      :FCopy
      C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =========================


    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    ========================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =====================
    Please do not use any other cleaning or scanning programs while I am helping you unless I instruct you to. Do not use a Registry cleaner or make and changes in the Registry.
  3. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    Bobbye,

    Thank you for your quick reply and willingness to help. Was able to run OTM, log provided below. ComboFix aborted at the point where it said it was going to change the clock. Did not do Eset scan because ComboFix step was not complete.

    OTM Log

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    Error: No service named ntcdrdrv; was found to stop!
    Service\Driver key ntcdrdrv; not found.
    Error: No service named vsdatan was found to stop!
    Service\Driver key vsdatan not found.
    Service pciinfo stopped successfully!
    Service pciinfo deleted successfully!
    ========== REGISTRY ==========
    ========== FILES ==========
    c:\windows\system32\drivers\hitmanpro35.sys moved successfully.
    c:\docume~1\alluse~1\applic~1\Hitman Pro folder moved successfully.
    File/Folder c:\windows\system32\drivers\ntcdrdrv.syc not found.
    File/Folder c:\windows\system32\vsdatant.sys not found.
    File/Folder c:\docume~1\...~1.hp-\locals~1\temp\hpispz\hpdom\pciinfo.sys not found.
    Error: Unable to interpret <:Folders> in the current context!
    Error: Unable to interpret <c:\program files\Hitman Pro 3.5> in the current context!
    Error: Unable to interpret <c:\windows\system32\Registry Patrol> in the current context!
    Error: Unable to interpret <c:\program files\Registry Patrol> in the current context!
    Error: Unable to interpret <:FCopy> in the current context!
    Error: Unable to interpret <C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys> in the current context!
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 1792 bytes
    ->Temporary Internet Files folder emptied: 8156028 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 4160 bytes

    User: R....
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: ....HP-DV5139US
    ->Temp folder emptied: 307842 bytes
    ->Temporary Internet Files folder emptied: 164636 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 39467696 bytes
    ->Flash cache emptied: 0 bytes

    User: R...-

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 11292712 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 6781 bytes

    Total Files Cleaned = 57.00 mb


    OTM by OldTimer - Version 3.1.11.0 log created on 04292010_094004

    Files moved on Reboot...
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YGKPBN91\AdDisplayTrackerServlet[1].htm not found!
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YGKPBN91\AdDisplayTrackerServlet[2].htm moved successfully.
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YGKPBN91\freq[1].html not found!
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YGKPBN91\iframe3[1].htm moved successfully.
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YGKPBN91\pm_300_250[1].htm not found!
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QIEWOGC7\AdDisplayTrackerServlet[1].htm not found!
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QIEWOGC7\AdDisplayTrackerServlet[2].htm not found!
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QIEWOGC7\iframe3[1].htm moved successfully.
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QIEWOGC7\pm_728_90_2[1].htm not found!
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M6VQVYLV\AdDisplayTrackerServlet[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M6VQVYLV\afr[1].php moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M6VQVYLV\afr[2].php moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M6VQVYLV\st[7] moved successfully.
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IBDIWSOT\freq[1].html not found!
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IBDIWSOT\freq[2].html not found!
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IBDIWSOT\freq[3].html not found!
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IBDIWSOT\jstags[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IBDIWSOT\pm_160_600[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IBDIWSOT\prep_ctr[1].php moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IBDIWSOT\syncuppixels[1].html moved successfully.
    File move failed. C:\WINDOWS\temp\logishrd\LVPrcInj01.dll scheduled to be moved on reboot.
    C:\WINDOWS\temp\fla99.tmp moved successfully.

    Registry entries deleted on Reboot...
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Okay, I'm going to need to move the files with script for Combofix. If you have this on your system now:

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]

    Now try installing and running.
    =====================
    Don't worry about the Windows update- you can handle that later.
    Please go ahead with the Eset scan- whether or not Combofix will run.
    ====================================
    Then I'd like you to run a scan with HijackThis:
    Please download HijackThis from here.
    • Save it to a permanent folder (such as C:\HJT).
    • Next, open HijackThis, and select Do a system scan and save a logfile.
    • A Notepad document will open. Please post the contents of that document.

    Please leave all logs and reports.
  5. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    I uninstalled ComboFix, reinstalled, and tried to run again. It aborted at the same point (i.e. suddenly shut down Windows and rebooted) again.

    The Eset online scan is in process. Will do HJT after it is done and post logs.
  6. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    ESET Scan Results
    C:\Documents and Setting\....HP-DV5139US\My Documents\Downloads\Anti Spyware\noadware.exe Win32/NoAdware application deleted - quarantined
    C:\Program Files\Registry Patrol\RegistryPatrol.exe a variant of Win32/Adware.RegistryPatrol application cleaned by deleting - quarantined

    HJT log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:45:43 PM, on 4/29/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Maxtor\Utils\SyncServices.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://vista.unm.edu/webct/entryPageIns.dowebct
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Epson Stylus NX510(Network)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFIA.EXE /FU "C:\WINDOWS\TEMP\E_S2007.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176403356343
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {C3C304ED-7599-4A9D-8AD3-2F8648AFBD1A} (BLWebSlideNetViewerX Control) - http://www.bacuslabs.com/plugin/WEBSLIDE.EXE
    O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
    O16 - DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} (JInitiator 1.3.1.26) -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
    O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
    O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 12148 bytes
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Please do a right click on the Combofix setup> click on Rename and name it river.exe.
    Now try to run it.

    Regarding Hitman:
    It is set to start on boot. that means that while I'm trying to find the malware and remove it, the following are running in the background:
    The new version of Hitman Pro, version 3, uses:
    Hitman is bundled programs that can be gotten free on the internet- most without the permission of the authors. It is described as "Hitman Pro 3 is a fast all-in-one tool to find, identify and remove viruses, spyware, Trojan horses, rootkits and other malware. Hitman Pro 3 will reveal in minutes if your PC is infected with malicious software."

    But I ask myself whenever I see this program running in a log: "Then why is this person here asking to have malware cleaned?"

    Please reopen HijackThis to 'do system scan only.'. Check each of the following if present:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot


    Close all Windows except HijackThis and click on "Fix Checked

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Clik in Start> Settings> control Panel> Add/Remove Programs> Uninstall Hitman> Close Add/Remove Programs.
    Use Windows Explorer: Windows key + E> click on My Computer> double click on Local Drive (usually C)> Programs> scroll to the Hitman folder and do a right click> Delete.

    Reboot the computer.

    If you paid for the "full version", I suggest you ask for your money back. If you do not want to uninstall it because you paid for it, please take it off of startup and make sure no part of it is running while I am helping you clean.

    Please repeat the Eset scan and follow the directions :
    Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked Leave a new log- the full log please.
  8. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    1. Renamed ComboFix to river.exe and unfortunately it aborted at the same spot it has each time.

    I don't if this seems weird, but the malware seems to set up to make working with ComboFix difficult. As noted in my first post, originally I was blocked from downloading ComboFix from the web. So I downloaded it on another computer and emailed it to myself and was able to download the email attachment. Now when I try to download the email attachment, I get the same error message as I did when trying to download from the web. I then tried putting the file on a thumb drive (as river.exe) and I watched it get automatically deleted from the thumb drive when I put in it my laptop, i.e. I opened the folder it was in on the thumb drive and watched the file disappear before I could copy it.

    I then zipped the river.exe file and emailed it to myself. When I tried to extract it, it would get deleted from the folder the it was unzipped to. Finally, I was able to get the file out by double-clicking on the zip file and then copying the file without doing the extract. This all seems a little far-fetched to me that the file be would recognized when renamed and blocked from downloading, auto-deleted from a thumb drive, and deleted on zip extraction...but I swear that is what happened.

    2. Removed Hitman 3.5 per instructions.

    3. Re-ran ESET online scanner, this time per instructions (sorry about that). No threats found. Did not look like a log was generated...maybe because nothing was found?
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Run TDSS Killer again and give me the log. If you have removed it:

    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
    [​IMG]
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list..
    • You should get a screen like this:
    [​IMG]
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.
  10. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    Bobbye,

    I was not able to run TDSSkiller with the Run prompt command because I kept getting an error message about not being able to find C:\Documents. I ran the program without the extra command about the log file. It seems to generate a log file anyway in C:\, which I have included below.


    12:13:01:093 1788 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
    12:13:01:093 1788 ================================================================================
    12:13:01:093 1788 SystemInfo:

    12:13:01:093 1788 OS Version: 5.1.2600 ServicePack: 3.0
    12:13:01:093 1788 Product type: Workstation
    12:13:01:093 1788 ComputerName: ALPHA1
    12:13:01:093 1788 UserName:
    12:13:01:093 1788 Windows directory: C:\WINDOWS
    12:13:01:093 1788 Processor architecture: Intel x86
    12:13:01:093 1788 Number of processors: 1
    12:13:01:093 1788 Page size: 0x1000
    12:13:01:093 1788 Boot type: Normal boot
    12:13:01:093 1788 ================================================================================
    12:13:01:109 1788 UnloadDriverW: NtUnloadDriver error 2
    12:13:01:109 1788 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    12:13:01:515 1788 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    12:13:01:515 1788 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    12:13:01:515 1788 wfopen_ex: Trying to KLMD file open
    12:13:01:515 1788 wfopen_ex: File opened ok (Flags 2)
    12:13:01:515 1788 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    12:13:01:515 1788 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    12:13:01:515 1788 wfopen_ex: Trying to KLMD file open
    12:13:01:515 1788 wfopen_ex: File opened ok (Flags 2)
    12:13:01:515 1788 Initialize success
    12:13:01:515 1788
    12:13:01:515 1788 Scanning Services ...
    12:13:02:062 1788 Raw services enum returned 405 services
    12:13:02:093 1788
    12:13:02:109 1788 Scanning Kernel memory ...
    12:13:02:109 1788 Devices to scan: 4
    12:13:02:109 1788
    12:13:02:109 1788 Driver Name: Disk
    12:13:02:109 1788 IRP_MJ_CREATE : F74CDBB0
    12:13:02:109 1788 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
    12:13:02:109 1788 IRP_MJ_CLOSE : F74CDBB0
    12:13:02:109 1788 IRP_MJ_READ : F74C7D1F
    12:13:02:109 1788 IRP_MJ_WRITE : F74C7D1F
    12:13:02:109 1788 IRP_MJ_QUERY_INFORMATION : 804F355A
    12:13:02:109 1788 IRP_MJ_SET_INFORMATION : 804F355A
    12:13:02:109 1788 IRP_MJ_QUERY_EA : 804F355A
    12:13:02:109 1788 IRP_MJ_SET_EA : 804F355A
    12:13:02:109 1788 IRP_MJ_FLUSH_BUFFERS : F74C82E2
    12:13:02:109 1788 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
    12:13:02:109 1788 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
    12:13:02:109 1788 IRP_MJ_DIRECTORY_CONTROL : 804F355A
    12:13:02:109 1788 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
    12:13:02:109 1788 IRP_MJ_DEVICE_CONTROL : F74C83BB
    12:13:02:109 1788 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBF28
    12:13:02:109 1788 IRP_MJ_SHUTDOWN : F74C82E2
    12:13:02:109 1788 IRP_MJ_LOCK_CONTROL : 804F355A
    12:13:02:109 1788 IRP_MJ_CLEANUP : 804F355A
    12:13:02:109 1788 IRP_MJ_CREATE_MAILSLOT : 804F355A
    12:13:02:109 1788 IRP_MJ_QUERY_SECURITY : 804F355A
    12:13:02:109 1788 IRP_MJ_SET_SECURITY : 804F355A
    12:13:02:109 1788 IRP_MJ_POWER : F74C9C82
    12:13:02:109 1788 IRP_MJ_SYSTEM_CONTROL : F74CE99E
    12:13:02:109 1788 IRP_MJ_DEVICE_CHANGE : 804F355A
    12:13:02:109 1788 IRP_MJ_QUERY_QUOTA : 804F355A
    12:13:02:109 1788 IRP_MJ_SET_QUOTA : 804F355A
    12:13:02:140 1788 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    12:13:02:140 1788
    12:13:02:140 1788 Driver Name: Disk
    12:13:02:140 1788 IRP_MJ_CREATE : F74CDBB0
    12:13:02:140 1788 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
    12:13:02:140 1788 IRP_MJ_CLOSE : F74CDBB0
    12:13:02:140 1788 IRP_MJ_READ : F74C7D1F
    12:13:02:140 1788 IRP_MJ_WRITE : F74C7D1F
    12:13:02:140 1788 IRP_MJ_QUERY_INFORMATION : 804F355A
    12:13:02:140 1788 IRP_MJ_SET_INFORMATION : 804F355A
    12:13:02:140 1788 IRP_MJ_QUERY_EA : 804F355A
    12:13:02:140 1788 IRP_MJ_SET_EA : 804F355A
    12:13:02:140 1788 IRP_MJ_FLUSH_BUFFERS : F74C82E2
    12:13:02:140 1788 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
    12:13:02:140 1788 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
    12:13:02:140 1788 IRP_MJ_DIRECTORY_CONTROL : 804F355A
    12:13:02:140 1788 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
    12:13:02:140 1788 IRP_MJ_DEVICE_CONTROL : F74C83BB
    12:13:02:140 1788 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBF28
    12:13:02:140 1788 IRP_MJ_SHUTDOWN : F74C82E2
    12:13:02:140 1788 IRP_MJ_LOCK_CONTROL : 804F355A
    12:13:02:140 1788 IRP_MJ_CLEANUP : 804F355A
    12:13:02:140 1788 IRP_MJ_CREATE_MAILSLOT : 804F355A
    12:13:02:140 1788 IRP_MJ_QUERY_SECURITY : 804F355A
    12:13:02:140 1788 IRP_MJ_SET_SECURITY : 804F355A
    12:13:02:140 1788 IRP_MJ_POWER : F74C9C82
    12:13:02:140 1788 IRP_MJ_SYSTEM_CONTROL : F74CE99E
    12:13:02:140 1788 IRP_MJ_DEVICE_CHANGE : 804F355A
    12:13:02:140 1788 IRP_MJ_QUERY_QUOTA : 804F355A
    12:13:02:140 1788 IRP_MJ_SET_QUOTA : 804F355A
    12:13:02:140 1788 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    12:13:02:140 1788
    12:13:02:140 1788 Driver Name: Disk
    12:13:02:140 1788 IRP_MJ_CREATE : F74CDBB0
    12:13:02:140 1788 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
    12:13:02:140 1788 IRP_MJ_CLOSE : F74CDBB0
    12:13:02:140 1788 IRP_MJ_READ : F74C7D1F
    12:13:02:140 1788 IRP_MJ_WRITE : F74C7D1F
    12:13:02:140 1788 IRP_MJ_QUERY_INFORMATION : 804F355A
    12:13:02:140 1788 IRP_MJ_SET_INFORMATION : 804F355A
    12:13:02:140 1788 IRP_MJ_QUERY_EA : 804F355A
    12:13:02:140 1788 IRP_MJ_SET_EA : 804F355A
    12:13:02:140 1788 IRP_MJ_FLUSH_BUFFERS : F74C82E2
    12:13:02:140 1788 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
    12:13:02:140 1788 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
    12:13:02:140 1788 IRP_MJ_DIRECTORY_CONTROL : 804F355A
    12:13:02:140 1788 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
    12:13:02:140 1788 IRP_MJ_DEVICE_CONTROL : F74C83BB
    12:13:02:140 1788 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBF28
    12:13:02:140 1788 IRP_MJ_SHUTDOWN : F74C82E2
    12:13:02:140 1788 IRP_MJ_LOCK_CONTROL : 804F355A
    12:13:02:140 1788 IRP_MJ_CLEANUP : 804F355A
    12:13:02:140 1788 IRP_MJ_CREATE_MAILSLOT : 804F355A
    12:13:02:140 1788 IRP_MJ_QUERY_SECURITY : 804F355A
    12:13:02:140 1788 IRP_MJ_SET_SECURITY : 804F355A
    12:13:02:140 1788 IRP_MJ_POWER : F74C9C82
    12:13:02:140 1788 IRP_MJ_SYSTEM_CONTROL : F74CE99E
    12:13:02:140 1788 IRP_MJ_DEVICE_CHANGE : 804F355A
    12:13:02:140 1788 IRP_MJ_QUERY_QUOTA : 804F355A
    12:13:02:140 1788 IRP_MJ_SET_QUOTA : 804F355A
    12:13:02:140 1788 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    12:13:02:140 1788
    12:13:02:140 1788 Driver Name: atapi
    12:13:02:140 1788 IRP_MJ_CREATE : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_CREATE_NAMED_PIPE : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_CLOSE : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_READ : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_WRITE : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_QUERY_INFORMATION : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_SET_INFORMATION : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_QUERY_EA : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_SET_EA : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_FLUSH_BUFFERS : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_SET_VOLUME_INFORMATION : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_DIRECTORY_CONTROL : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_FILE_SYSTEM_CONTROL : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_DEVICE_CONTROL : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_SHUTDOWN : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_LOCK_CONTROL : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_CLEANUP : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_CREATE_MAILSLOT : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_QUERY_SECURITY : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_SET_SECURITY : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_POWER : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_SYSTEM_CONTROL : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_DEVICE_CHANGE : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_QUERY_QUOTA : 8A7EAAC8
    12:13:02:140 1788 IRP_MJ_SET_QUOTA : 8A7EAAC8
    12:13:02:140 1788 Driver "atapi" infected by TDSS rootkit!
    12:13:02:156 1788 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
    12:13:02:156 1788 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ... 12:13:02:156 1788 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
    12:13:02:156 1788 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
    12:13:02:328 1788 vfvi6
    12:13:02:578 1788 !dsvbh1
    12:13:05:765 1788 dsvbh2
    12:13:05:765 1788 fdfb2
    12:13:05:765 1788 Backup copy found, using it..
    12:13:05:765 1788 will be cured on next reboot
    12:13:05:765 1788 Reboot required for cure complete..
    12:13:05:875 1788 Cure on reboot scheduled successfully
    12:13:05:875 1788
    12:13:05:875 1788 Completed
    12:13:05:875 1788
    12:13:05:875 1788 Results:
    12:13:05:875 1788 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
    12:13:05:875 1788 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    12:13:05:875 1788 File objects infected / cured / cured on reboot: 1 / 0 / 1
    12:13:05:875 1788
    12:13:05:875 1788 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    12:13:05:875 1788 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    12:13:05:875 1788 UnloadDriverW: NtUnloadDriver error 1
    12:13:05:875 1788 KLMD(ARK) unloaded successfully
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Okay- it found and fixed the file! Please see if you can run Combofix now.

    After Combofix, please run this:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    I will be able to see the replaced file in Combofix. Please leave both logs in next reply.
  12. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    Bobbye,

    While TDSSKiller seems to find the infection, it does not cure it on reboot, i.e. if you run TDSSKiller again after rebooting, it just finds the same problem again. I have tried running ComboFix again after TDSSKiller (both before and after reboots) and ComboFix aborts in the same spot as the other times I have tried to run it.

    Randy
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    As I said at the beginning, you ran a lot of programs trying to fix something when you didn't really know what was broken! Please do these 2 things:

    1. Run the Eset scan and leave the log.
    2. Try Combofix again-when/if it stops, look at the clock on the computer and note the time- then do this: The Errors are time-coded. See if there is a System or App error at the time you noted Combofix stopped:

    Start> Run> type in eventvwr

    Do this on each the System and the Applications logs:
    [1]. Click to open the log>
    [2]. Look for the Error>
    [3] .Right click on the Error> Properties>
    [4]. Click on Copy button, top right, below the down arrow >
    [5]. Paste here (Ctrl V)
    [6].NOTES
    • You can ignore Warnings and Information Events.
    • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
    • You don't need to include the lines of code in the box below the Description, if any.
    • Please do not copy the entire Event log.

    There is another program I can have you run if needed.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Due to lack of activity, this thread is being closed.
    If you need further help, please send a PM to your helper and include the URL of the thread.
  15. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    Bobbye,

    Sorry it took me awhile to get to these next steps but I was very busy the past few days with other stuff...

    1. ESET scan completed...log below.

    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=21ab28d4b5418f4badb0eaaef87b47e4
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=false
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-05-17 09:06:30
    # local_time=2010-05-17 03:06:30 (-0700, Mountain Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 1536611 1536611 0 0
    # compatibility_mode=5121 16776869 100 96 3369798 26957031 0 0
    # compatibility_mode=6143 16777215 0 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 689764 689764 0 0
    # scanned=120979
    # found=0
    # cleaned=0
    # scan_time=10083

    2. ComboFix aborted at same place it always does. I paid attention to the time. It started running at 11:53am and had to update itself. It aborted at 11:59:06. These are the Error events around that time, nothing right at that time, but the earlier one is when ComboFix was running, sometime around after the update was completed I think. The other two are after the abort, probably during the reboot that happens automatically after the abort.

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7034
    Date: 5/17/2010
    Time: 11:54:56 AM
    User: N/A
    Computer: ALPHA1
    Description:
    The Process Monitor service terminated unexpectedly. It has done this 1 time(s).


    Event Type: Error
    Event Source: Ftdisk
    Event Category: None
    Event ID: 45
    Date: 5/17/2010
    Time: 11:59:50 AM
    User: N/A
    Computer: ALPHA1
    Description:
    The system could not sucessfully load the crash dump driver.


    Event Type: Error
    Event Source: Ftdisk
    Event Category: None
    Event ID: 49
    Date: 5/17/2010
    Time: 11:59:50 AM
    User: N/A
    Computer: ALPHA1
    Description:
    Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
  16. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    Bobbye,

    Windows ran an automatic scan on my computer last night without any intervention from me. I found the following in the mrt.log file:


    Microsoft Windows Malicious Software Removal Tool v3.7, May 2010
    Started On Tue May 18 03:02:57 2010
    WARNING: Security policy doesn't allow for all actions MSRT may require.
    Quick Scan Results for E3AE4240-86F4-48F9-B6D7-B1173E4BC23A:
    ----------------
    Threat detected: Virus:Win32/Alureon.H
    rootkit://Alureon->isapnp
    SigSeq: 0x000035A9D6C58B30

    Results Summary:
    ----------------
    Found Virus:Win32/Alureon.H, full system scan needed to complete removal
    Microsoft Windows Malicious Software Removal Tool Finished On Tue May 18 03:05:37 2010


    Return code: 7 (0x7)

    ---------------------------------------------------------------------------------------

    Microsoft Windows Malicious Software Removal Tool v3.7, May 2010
    Started On Tue May 18 03:24:09 2010

    Quick Scan Results for E3AE4240-86F4-48F9-B6D7-B1173E4BC23A:
    ----------------
    Threat detected: Virus:Win32/Alureon.H
    rootkit://Alureon->isapnp
    Microsoft Windows Malicious Software Removal Tool Finished On Tue May 18 11:25:08 2010


    Return code: 7 (0x7)
  17. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    Here is the result of the MSRT full scan and a screenshot:

    Microsoft Windows Malicious Software Removal Tool v3.7, May 2010
    Started On Tue May 18 11:45:31 2010

    Extended Scan Results
    ----------------
    ->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
    ->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
    Threat detected: TrojanDownloader:JS/Renos
    file://C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\V9CPTHRH\go[1].htm
    SigSeq: 0x00010129C942DE79
    SHA1: 0822E697FB379213D7CCF76C0D77CB686690DCDB
    Threat detected: Virus:Win32/Alureon.H
    rootkit://Alureon->isapnp
    SigSeq: 0x000035A9D6C58B30

    Extended Scan Removal Results
    ----------------
    Start 'remove' for file://\\?\C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\V9CPTHRH\go[1].htm
    Operation succeeded !

    Start 'clean' for rootkit://Alureon->isapnp
    Operation failed (code=0x8026), please use a full antivirus product ! !

    Start 'remove' for file://\\?\C:\Documents and Settings\Randy Lahr.HP-DV5139US\Local Settings\Temporary Internet Files\Content.IE5\V9CPTHRH\go[1].htm
    Operation succeeded !


    Results Summary:
    ----------------
    Found Virus:Win32/Alureon.H, partially removed.
    Found TrojanDownloader:JS/Renos and Removed!
    Microsoft Windows Malicious Software Removal Tool Finished On Tue May 18 16:52:49 2010


    Return code: 7 (0x7)

    Attached Files:

  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Nice screenshot! Do you give lessons? :)

    Please disable this: c:\program files\Registry Patrol
    Most of us do not recommend the use of a Registry cleaner. If you want to keep it, okay, but is shouldn't run while we are cleaning.

    Also disable the McAfee Script Proxy: c:\program files\mcafee\virusscan\scriptsn.dll

    You have the downloaded Combofix on the desktop- is that correct? If yes, try the following: There are 3 different ways to try and get Combofix to run. Anyone that works is fine, then don't do the others:
    1. Start the scan and decline the update.
    2. Go into Safe Mode and run Combofix:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    3. Disconnect from the internet (File> Work Offline)> Boot into Same Mode with Networking> Disable any McAfee processes that are running> Try Combofix.
    ====================================
    If you were able to get Combofix to run, do the following:

    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\ntcdrdrv.sys
    c:\docume~1\randyl~1.hp-\locals~1\temp\hpispz\hpdom\pciinfo.sys
    c:\windows\system32\vsdatant.sy
    
    Folder::
    
    DDS::
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
    DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
    DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF}
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    
    Registry::
    
    Driver::
    ntcdrdrv
    pciinfo
    vsdatant
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Run this online scan: Kaspersky Online Scanner in Internet Explorer

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    Don't be concerned with the MSRT find- we know the system isn't clean yet.
  19. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    Bobbye,

    ComboFix finally ran. Whew! Here is the log it generated after running. I still need to do the next step with the script, so sorry if this log is premature, but wanted to get it sent along in case it gets overwritten in subsequent steps.

    Attached Files:

  20. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    Bobbye,

    I have Kaspersky Online Scan running now, looks like it is going to take awhile. In the meantime, here is the ComboFix log from running it with the script you supplied.

    Attached Files:

  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Okay- coming along nicely. Still have some Hitman to remove:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\windows\system32\drivers\hitmanpro35.sys
    
    Folder::
    Registry::
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
  22. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    Bobbye,


    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Wednesday, May 19, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Wednesday, May 19, 2010 15:03:13
    Records in database: 4134826
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    Z:\

    Scan statistics:
    Objects scanned: 118850
    Threats found: 2
    Infected objects found: 2
    Suspicious objects found: 0
    Scan duration: 03:34:29


    File name / Threat / Threats count
    C:\Documents and Settings\...\My Documents\Downloads\Anti Spyware\TrojanHunter.exe Infected: Trojan.Win32.Siscos.re 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

    Selected area has been scanned.
  23. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    Bobbye,

    OK, ran ComboFix again to kill Hitman residue. Log attached.

    1. ComboFix detected a concerning dll file when it was trying to run. See attached screenshot for warning message.

    2. Then ComboFix gave a message saying it detected rootkit activity and had to reboot. It was able to do so and continue running. This rootkit warning happened the first time I got CF to run, but not the second time I ran it (i.e. with the first script you supplied). Now it showed up again on this third run.

    3. The log says it failed to delete the concerning dll file.

    I wanted to let you know that after Friday I will likely be away from my computer for ~ 3 weeks.

    Attached Files:

  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    I don't know why Combofix would bother with that warning. The TDSS Rootkit was removed on reboot and the process in the Combofix warning is for the Logitech webcam. It is started by this Service:
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

    Try setting the Service to Manual:
    Start> Run> type in services.msc[/b[> double click on LVComSer> change Startup type to Manual> Stop the Service.
    Exit Services.

    I'd like to see another scan from the Eset online AV. Do you have time to do that?
    Let me know when you get back.
  25. riverland1

    riverland1 Newcomer, in training Topic Starter Posts: 20

    Bobbye,

    I looked up this filename via Google yesterday and found the following description at http://www.file.net/process/lvprcinj01.dll.html...

    The process Camera Helper Library or LVPrcInj01.dll belongs to the software Logitech QuickCam by Logitech Inc (www.logitech.com).

    Description: LVPrcInj01.dll is located in a subfolder of C:\Windows. The file size on Windows XP is 109,080 bytes. A .dll file (Dynamic Link Library) is a special type of Windows program containing functions that other programs can call. This .dll file can be injected to all running processes and can change or manipulate their behavior. The program is not visible. File LVPrcInj01.dll is a Verisign signed file. The file has a digital signature. The service has no detailed description. It can change the behavior of other programs or manipulate other programs. It is not a Windows system file. Therefore the technical security rating is 48% dangerous, however also read the users reviews.

    Important: Some malware camouflage themselves as LVPrcInj01.dll, particularly if they are located in c:\windows or c:\windows\system32 folder. Thus check the LVPrcInj01.dll process on your pc whether it is pest.


    Know you don't need a description of what a dll file is, but he last part of the above was concerning...so I checked the filesize on my computer and it is 109,080 bytes as described. That seems reassuring.

    Its properties say it was created May 19, 2010, 5:26:53 PM, which is when I was running ComboFix...does that seem weird or suspicious, i.e. if it is a legit Logitech file, would it not have existed before then? It also looks like ComboFix tried to delete the file and could not...would that be likely if this is a legit file?

    Maybe you can tell from your analysis of the logs if this is an OK file or not, so sorry if this is all speculative overkill.

    I was able to go through the steps with services.msc without any problem, that is completed.

    I should be able to do another ESET scan this afternoon and have the results for you in a couple hours. I can probably do some more steps tomorrow if needed. I'll let you know when I won't be able to more until I come back.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.